Cloud Computing Unit-5

5 Cloud Security

Syllabus
Overview of Cloud Security; Virtualization System-specific Attacks: Guest hopping, VM migration attack, hyperjacking; Data Security and Storage; Identity and Access Management (IAM): IAM challenges, IAM architecture and practice.

Contents
5.1 Overview of Cloud Security
5.2 Virtualization System-specific Attacks
5.3 Data Security and Storage
5.4 Identity and Access Management (IAM) .... Dec.-21
5.5 Two Marks Questions with Answers

5.1 Overview of Cloud Security

* Cloud security is the protection of data stored online via cloud computing platforms from theft, leakage and deletion. Methods of providing cloud security include firewalls, penetration testing, tokenization, Virtual Private Networks (VPN) and avoiding public internet connections.
* Cloud security refers to an array of policies, technological procedures, services and solutions designed to support safe functionality when building, deploying and managing cloud-based applications and associated data.
* Cloud security is designed to protect the following, regardless of your responsibilities:
a) Physical networks - Routers, electrical power, cabling, climate controls, etc.
b) Data storage - Hard drives, etc.
c) Data servers - Core network computing hardware and software
d) Computer virtualization frameworks - Virtual machine software, host machines and guest machines
e) Operating systems (OS) - Software that houses
f) Middleware - Application Programming Interface (API) management
g) Runtime environments - Execution and upkeep of a running program
h) Data - All the information stored, modified and accessed
i) Applications - Traditional software services (email, tax software, productivity suites, etc.)
j) End-user hardware - Computers, mobile devices, Internet of Things (IoT) devices, etc.
* Cloud computing security addresses both physical and logical security issues across all the different service models of software, platform and infrastructure.
It also addresses how these services are delivered in the public, private, hybrid and community delivery models.

Cloud Security Challenges and Risks

* Cloud computing security challenges fall into three broad categories:
1. Data protection: Securing your data both at rest and in transit.
2. User authentication: Limiting access to data and monitoring who accesses the data.
3. Disaster and data breach: Contingency planning.

TECHNICAL PUBLICATIONS® - an up-thrust for knowledge

* Data protection: Data needs to be encrypted at all times, with clearly defined roles when it comes to who will be managing the encryption keys.
* User authentication: Data resting in the cloud needs to be accessible only by those authorized to do so, making it critical to both restrict and monitor who will be accessing the company's data through the cloud. In order to ensure the integrity of user authentication, companies need to be able to view data access logs and audit trails to verify that only authorized users are accessing the data.
* Contingency planning: With the cloud serving as a single centralized repository for a company's mission-critical data, the risks of having that data compromised due to a data breach or temporarily made unavailable due to a natural disaster are real concerns.
* If information is encrypted while passing through the cloud, who controls the encryption/decryption keys? Is it the customer or the cloud vendor? Most customers probably want their data encrypted in both directions across the Internet using the Secure Sockets Layer (SSL) protocol (in practice its successor, TLS; SSL itself is deprecated). They also most likely want their data encrypted while it is at rest in the cloud vendor's storage pool. Be sure that you, the customer, control the encryption/decryption keys, just as if the data were still resident on your own servers.
* Data integrity means ensuring that data is identically maintained during any operation.
* Cloud-based services will result in many mobile IT users accessing business data and services without traversing the corporate network. This will increase the need for enterprises to place security controls between mobile users and cloud-based services.
* Placing large amounts of sensitive data in a globally accessible cloud leaves organizations open to large distributed threats: attackers no longer have to come onto the premises to steal data, because they can find it all in the one "virtual" location.
* Virtualization efficiencies in the cloud require virtual machines from multiple organizations to be co-located on the same physical resources. Although traditional data center security still applies in the cloud environment, physical segregation and hardware-based security cannot protect against attacks between virtual machines on the same server.
* Operating system and application files are on a shared physical infrastructure in a virtualized cloud environment and require system, file and activity monitoring to provide confidence and auditable proof to enterprise customers that their resources have not been compromised or tampered with.
* In the cloud computing environment, the enterprise subscribes to cloud computing resources, and the responsibility for patching is the subscriber's rather than the cloud computing vendor's. (Under the shared responsibility model this holds for the guest operating system and applications in IaaS; in PaaS and SaaS the provider patches the platform layers it operates.) The need for patch maintenance vigilance is imperative. Lack of due diligence in this regard could rapidly make the task unmanageable or impossible, leaving you with "virtual patching" as the only alternative.
* Confidentiality: Confidentiality refers to limiting information access. Sensitive information should be kept secret from individuals who are not authorized to see the information. In cloud environments, confidentiality primarily pertains to restricting access to data in transit and storage.
* Integrity can extend to how data is stored, processed and retrieved by cloud services and cloud-based IT resources.
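The two points above, that the customer rather than the vendor should hold the keys and that data must be "identically maintained" through every operation, can be exercised with a keyed integrity tag that the provider never sees. The Python below is an added example written for this page, not code from the textbook or from any cloud provider: the provider-side `CloudObjectStore`, the object names, the sample ledger bytes and the `CustomerIntegrityVault` are all constructed for illustration. The customer keeps a 32-byte HMAC key and a table of per-object tags on its own systems, uploads only the bytes, and refuses any download whose recomputed tag does not match; because the object name is bound into the tag, a provider or insider cannot satisfy the check by serving some other untampered object under the requested name. It is the symmetric-key counterpart of the digital-signature technique that the integrity service in 5.1.1 mentions. Confidentiality is deliberately left out; in practice the same customer-held key hierarchy would also drive an authenticated cipher such as AES-GCM from a cryptography library.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional


class IntegrityError(Exception):
    """Raised when an object fetched from the provider fails the customer's check."""


class CloudObjectStore:
    """Constructed stand-in for a provider's storage pool. It holds raw bytes,
    never sees the customer's key or tags, and an insider can overwrite anything."""

    def __init__(self) -> None:
        self.objects: Dict[str, bytes] = {}

    def put(self, name: str, data: bytes) -> None:
        self.objects[name] = data

    def get(self, name: str) -> bytes:
        return self.objects[name]


class CustomerIntegrityVault:
    """Customer side: the HMAC key and the per-object tags stay with the customer,
    so verification does not depend on the provider's own assurances."""

    def __init__(self, key: Optional[bytes] = None) -> None:
        self.key = key if key is not None else secrets.token_bytes(32)
        self.tags: Dict[str, bytes] = {}

    def tag(self, name: str, data: bytes) -> bytes:
        # Length-prefix the name before the data so (name, data) is encoded
        # unambiguously; a valid object then cannot be passed off under another name.
        encoded_name = name.encode("utf-8")
        msg = len(encoded_name).to_bytes(4, "big") + encoded_name + data
        return hmac.new(self.key, msg, hashlib.sha256).digest()

    def upload(self, store: CloudObjectStore, name: str, data: bytes) -> None:
        self.tags[name] = self.tag(name, data)   # tag recorded locally before upload
        store.put(name, data)

    def download(self, store: CloudObjectStore, name: str) -> bytes:
        data = store.get(name)
        # Constant-time comparison so a forger learns nothing from timing.
        if not hmac.compare_digest(self.tags[name], self.tag(name, data)):
            raise IntegrityError(f"{name}: stored bytes do not match the customer-held tag")
        return data


def demo() -> Dict[str, bool]:
    """Three retrievals of the same object name: untouched, edited in place by an
    insider, and swapped for a different valid object. Only the first may succeed."""
    store = CloudObjectStore()
    vault = CustomerIntegrityVault()
    ledger = b"acct,balance\n1001,250.00\n"            # constructed sample data
    vault.upload(store, "ledger.csv", ledger)
    vault.upload(store, "notes.txt", b"quarterly review draft\n")
    results = {"intact": vault.download(store, "ledger.csv") == ledger}

    def download_is_rejected() -> bool:
        try:
            vault.download(store, "ledger.csv")
            return False
        except IntegrityError:
            return True

    store.put("ledger.csv", b"acct,balance\n1001,950.00\n")   # one digit changed at rest
    results["edit_detected"] = download_is_rejected()
    store.put("ledger.csv", store.get("notes.txt"))            # genuine object, wrong name
    results["swap_detected"] = download_is_rejected()
    return results


if __name__ == "__main__":
    print(demo())
```

The tags table is the piece that must not live with the provider: if it were stored alongside the objects, whoever can rewrite the data can rewrite the tags too, and the check collapses to trusting the vendor again.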
* Some common cloud security threats include:
a) Risks of cloud-based infrastructure, including incompatible legacy IT frameworks and third-party data storage service disruptions.
b) Internal threats due to human error, such as misconfiguration of user access controls.
c) External threats caused almost exclusively by malicious actors, such as malware, phishing and DDoS attacks.

Cloud Security Architecture

* Cloud security architecture describes all the hardware and technologies designed to protect data, workloads and systems within cloud platforms.
* Fig. 5.1.1 shows the NIST cloud computing security reference architecture approach. The reference architecture identifies the five major cloud actors: consumer, provider, broker, carrier and auditor.
* Secure cloud computing architecture encompasses three core capabilities: confidentiality, integrity and availability.
1. Confidentiality is the ability to keep information secret and unreadable to the people who shouldn't have access to that data.
2. Integrity is the idea that the systems and applications are exactly what you expect them to be and function exactly as you expect them to function.
3. Availability speaks to Denial-of-Service (DoS) attacks. Perhaps an attacker can't see or change your data. But if an attacker can make systems unavailable to you or your customers, then you can't carry out tasks that are essential to maintain your business.

Fig. 5.1.1 NIST cloud computing security reference architecture: cloud actors
- Cloud consumer: A person or organization that maintains a business relationship with, and uses services from, Cloud Providers.
- Cloud provider: A person, organization or entity responsible for making a service available to interested parties.
- Cloud auditor: A party that can conduct independent assessment of cloud services, information system operations, performance and security of the cloud implementation.
- Cloud broker: An entity that manages the use, performance and delivery of cloud services and negotiates relationships between Cloud Providers and Cloud Consumers.
- Cloud carrier: An intermediary that provides connectivity and transport of cloud services from Cloud Providers to Cloud Consumers.

Cloud Security Services

* The basic security services for information security include assurance of data confidentiality, integrity and availability.
* Fig. 5.1.2 shows the organization of data security and privacy in cloud computing.

Fig. 5.1.2 Data security and privacy: data confidentiality, data integrity, data availability, data privacy

1. Confidentiality:
* Confidentiality refers to limiting information access. Sensitive information should be kept secret from individuals who are not authorized to see the information. In cloud environments, confidentiality primarily pertains to restricting access to data in transit and storage.
* Data confidentiality is important for users who store their private or confidential data in the cloud. Authentication and access control strategies are used to ensure data confidentiality. The data confidentiality, authentication and access control issues in cloud computing could be addressed by increasing the cloud's reliability and trustworthiness.
* Because users do not trust the cloud providers, and cloud storage service providers find it virtually impossible to eliminate the potential insider threat, it is very dangerous for users to store their sensitive data in cloud storage directly. Simple encryption is faced with the key management problem and cannot support complex requirements such as querying, parallel modification and fine-grained authorization.
2. Integrity:
* This service protects data from malicious modification. Having outsourced their data to remote cloud servers, cloud users must have a way to check whether or not their data at rest or in transit are intact.
* Such a security service would be of core value to cloud users. Integrity can extend to how data is stored, processed and retrieved by cloud services and cloud-based IT resources.
* Data integrity in the cloud system means preserving information integrity: the data should not be lost or modified by unauthorized users. Data integrity is the basis for providing cloud computing services such as SaaS, PaaS and IaaS. Besides storage of large-scale data, the cloud computing environment usually provides data processing services. Data integrity can be obtained by techniques such as RAID-like strategies and digital signatures.
3. Availability:
* This service assures that data stored in the cloud are available on each user retrieval request. This service is particularly important for data at rest in cloud servers and is related to the fulfilment of the service level agreement.
* Data availability means the following: when accidents such as hard disk damage, data center (IDC) fire and network failures occur, the extent to which the user's data can be used or recovered, and how users can verify their data by technical means rather than depending on the credit guarantee of the cloud service provider alone.
* The cloud service provider should ensure data security, particularly data confidentiality and integrity. The cloud provider should share all such concerns with the client and build a trust relationship in this connection. The cloud vendor should provide guarantees of data safety and explain the jurisdiction of local laws to the clients.
* A disaster recovery plan is a plan designed to recover all the vital business processes during a disaster within a limited amount of time. This plan has all the procedures required to handle emergency situations.
* A disaster recovery process should have provable recovery capability, and hence it provides the most efficient method to be adopted immediately after a disaster occurs.

Security Authorization Challenges in Cloud

* Authorization is the function of specifying access rights/privileges to resources, related to information security and computer security in general and to access control in particular. Authorization determines what the user can access and what he cannot access.

1. Auditing:
* A cloud security audit can help by assessing and prioritizing risks, evaluating current controls, identifying the gaps in the existing cloud security strategy and programs, and making recommendations tied to business priorities.
* Functions performed by IT auditors:
a. Backup controls
b. Data center security
c. System development standards
d. System and transaction controls
e. Contingency plan.
2. Accountability:
* This is the process that keeps track of a user's activity while attached to a system; the trail includes the amount of time attached, the resources accessed and how much data was transferred.
* Accounting data is used for trending, detecting breaches and forensic investigation. Keeping track of users and their activities serves many purposes.
* For example, tracing back the events leading up to a cyber security incident can prove very valuable to a forensic analysis and investigation case.

Cloud Security Threats

1. Traffic eavesdropping
* Data is passively intercepted by a malicious service agent for illegitimate information gathering purposes while being transferred to or within a cloud.
Fig. 5.1.3 Traffic eavesdropping: an intercepted message copy is taken as the message passes between consumer and cloud service
* The aim is to discredit the confidentiality of data and the relationship between the cloud consumer and cloud provider.
* It is hard to detect for a long period of time because of the passive nature of the attack.
2. Malicious intermediary
* Messages are intercepted and altered by a malicious service agent, discrediting the message's confidentiality and/or integrity.
* Malicious content may be inserted before the message is forwarded to its destination.
Fig. 5.1.4 Malicious intermediary: the message from the cloud service consumer is intercepted and altered before reaching the cloud service
3. Denial of Service (DoS)
* Intentional sabotage of a shared physical IT resource by overloading it so that the IT resource can hardly be allocated to other consumers sharing the same IT resource.
* Typically intentional overloading of a shared IT resource by generating excessive messages, consuming the full network bandwidth, or sending multiple requests that consume excessive CPU time and memory.
4. Insufficient authorization
* A case where access is granted to an attacker erroneously or too broadly, resulting in the attacker getting access to IT resources that are normally protected.
* Another case (weak authentication) is where weak passwords or shared accounts are used to protect IT resources.
Fig. 5.1.5 Insufficient authorization: a legitimate consumer and a malicious attacker both reach the same protected resource
5. Virtualization attack (overlapping trust boundaries)
* Physical resources are shared by multiple virtual users in a virtualized environment by the very nature of resource virtualization.
* There is an inherent risk that some cloud consumers could abuse their access rights to attack the underlying physical IT resources.

Secure Cloud Software Requirements

* Requirements of secure cloud software are as follows:
1. Secure development practices: This includes data handling, code practices, language options, input validation and content injection, and physical security of the system.
2. Approaches to cloud software requirements engineering: A resource perspective on cloud software security requirements, goal-oriented software security requirements, and monitoring internal and external requirements.
3. Cloud security policy implementation and decomposition: Implementation issues, and decomposing critical security issues into secure cloud software requirements (confidentiality, integrity, availability, authentication and identification, authorization, auditing).

5.2 Virtualization System-specific Attacks
Guest-hopping Attack

* In guest-hopping attacks, due to a separation failure between shared infrastructures, an attacker gets access to a virtual machine by penetrating another virtual machine hosted on the same hardware.
* One possible mitigation of a guest-hopping attack is the use of forensics and VM debugging tools to observe any attempt to compromise the virtual machine. Another solution is to use the High Assurance Platform (HAP), which provides a high degree of isolation between virtual machines.
* Guest to host attack / guest escape: Once the attacker has found a vulnerability in the virtualization layer, combined with improper configuration of both the host and the guest, the attacker can bypass the virtualization layer and access the host machine. Since the host machine contains multiple guests, the attacker can monitor any interaction between the guest machines and the host. In addition, the attacker can launch various attacks, such as corrupting resources, memory and CPU, and launching arbitrary code.
* Guest to guest attack / guest hopping: In this attack, the attacker injects malware into one guest, and once the attacker gains control over that virtual machine, they can spread the malware to other virtual machines or attack the virtualization layer itself, thus controlling all the virtual machines that exist on the host machine.
* The attacker can then monitor the usage of various resources, such as CPU and memory, which affects the confidentiality of the guest machine. In addition, the attacker has the ability to manipulate existing data in the virtual machines, modify their configurations, inject malicious code, etc., thus affecting the integrity and availability of the data. In the worst case the attacker controls all guests and the host.
* Guest mobility: Guest machine contents are stored as files on the host machine's hard disk drive, which eases the process of transferring or copying the contents of one guest to another host through the network. With this usability, security problems arise: if the guest is infected with malware, the other host will be contaminated with the same malware. Thus the attacker gains control over multiple virtual machines on multiple hosts and can possibly use the same technique to affect further virtual machines.
* Guest denial of service attack: In virtualization, the host machine allocates resources such as RAM, CPU, storage and network bandwidth to each guest machine. A DoS attack occurs when one guest machine occupies all the resources, denying other guest machines the use of the host's resources.
* Virtual machine overflow: In this attack, the attacker runs a malicious script on the guest machine and fills the allocated memory region with meaningless characters, exceeding the allowed boundaries for the guest machine, and as a result the machine crashes. After that, the attacker can access the host's memory pointers and direct them to run the attacker's malicious script. By that, the attacker can gain root access over the host machine and thus have access over all the guest machines that reside on the host machine.
* Virtualization memory leak: Each guest machine has a specific space in the host's memory, and if the host does not properly free the allocated memory, a virtual memory leak can occur. The attacker can exploit this vulnerability by using the leaked space to execute several attacks, such as DoS and buffer overflow attacks.

VM Migration Attack: Hyperjacking

* Hyperjacking is another illicit method that can be used to spy on victims, control devices and steal valuable information. Hyperjacking involves the compromise and unauthorized control of a virtual machine.
* Hypervisors form the backbone of virtual machines. These are software programs that are responsible for creating, running and managing VMs. A single hypervisor can host multiple virtual machines, or multiple guest operating systems, at one time, which also gives it the alternative name of Virtual Machine Monitor (VMM).
* There are two kinds of hypervisors. The first is known as a "bare metal" or "native" (Type 1) hypervisor, which runs directly on the hardware; the second is a "hosted" (Type 2) hypervisor, which runs as a program on top of a conventional operating system.
* Hyperjacking involves installing a rogue hypervisor that can take complete control of a server. Regular security measures are ineffective because the OS will not even be aware that the machine has been compromised.
* Hypervisors are the key target of hyperjacking attacks. In a typical attack, the original hypervisor will be replaced via the installation of a rogue, malicious hypervisor that the threat actor controls. By installing a rogue hypervisor under the original, the attacker can gain control of the original hypervisor and exploit the VMs.
* By having control over the hypervisor of a virtual machine, the attacker can, in turn, gain control of the entire VM server. This means that they can manipulate anything in the virtual machine.
* This mechanism is due to a lack of separation between control flows and data flows, guest OS access to the hypervisor (e.g. via a management tool on the guest OS), or an unpatched system. Because a guest cannot reliably tell from the inside whether it is running under a rogue hypervisor, the practical defence is on the host side: a hardware-rooted measured boot that attests the hypervisor image before the host is allowed to run tenant VMs, together with strict patching of the hypervisor and its management interfaces.
* The exploitation of this mechanism can result in the attacker gaining unlimited access to the entire virtualization server and the guest VMs. This attack mechanism can result from poorly managed control and data flows as well as poorly managed shared access to resources.

Virtual machine migration services:

* VM migration is of two types: hot migration and cold migration.
i) Hot migration:
* A hot migration is also referred to as a live migration. It is a staged migration in which the virtual machine stays powered on during the initial full synchronization and the subsequent delta sync, using the vSphere vMotion feature.
* There are two types of hot migration:
1. Compute resource - A migration of a virtual server from one compute resource to another.
2. Full migrate - A migration of a virtual server with or without disks and NICs between compute resources, data stores and networks.
* The live migration process transfers the VM memory, network connectivity and storage as the OS continues to run. The obvious advantage of a live migration is that we do not have to interrupt operations. The best time to do a live migration on VMware is when a server needs maintenance or an update, or when we need to switch a VM to a different host.
* Because live migration copies the guest's memory and device state across the management network, any secrets resident in guest memory (keys, passwords, session tokens) travel with it. If the migration channel is not encrypted and the two hosts do not authenticate each other, an attacker on that network can read or modify the guest in flight; the migration network should therefore be treated as sensitive and kept separate from tenant traffic.
* The process allows for:
1. A clean separation between hardware and software, including the separation of concerns between the users and the operator of a data center or cluster.
2. Consolidation of clustered hardware into a single management domain. This means that if we need to remove a certain physical machine from service for maintenance, we can migrate OS instances to one or more alternative machines to relieve the load on congested host machines.
3. Live migration can also be used for load balancing, in which work is shared among computers in order to optimize the utilization of available CPU resources.
ii) Cold migration
* Cold migration involves moving a powered-off or suspended virtual machine to a new host. It also usually means relocating the configuration and disk files of these powered-off or suspended virtual machines to new storage locations.
* Cold migration includes moving virtual machines from one virtual switch to another or from one data center to another. Fig. 5.2.1 shows cold migration.
Fig. 5.2.1 Cold migration: configuration data and disk files are moved from the source host to the destination host
* Cold migration is easy to implement and is summarized as follows:
a) The configuration files, including the NVRAM file, log files and the disks of the virtual machine, are moved from the source host to the destination host's associated storage area.
b) The virtual machine is registered with the new host.
c) After the migration is completed, the old version of the virtual machine is deleted from the source host.
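The three cold-migration steps above move the guest's files before the old copy is deleted, so the transfer in step (a) is the point at which a migration attack can alter the disk or configuration that the new host will register. The Python below is an added illustration for this page, not the textbook's or VMware's code: the guest's file set (web01.vmx, web01.nvram, vmware.log, web01.vmdk), the source and destination host directories and the `tampering_transport` channel are all constructed. It performs step (a), compares SHA-256 digests measured at the source against the copies at the destination, and only on a match performs (b) registration and (c) deletion; a mismatch discards the suspect copy before the source is touched, so a corrupted transfer never becomes the only copy of the VM.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path
from typing import Callable, Dict, List

# Constructed file set for one powered-off guest: config, NVRAM, log and disk.
VM_FILES = ("web01.vmx", "web01.nvram", "vmware.log", "web01.vmdk")


def sha256_file(path: Path) -> str:
    """Stream the file so that a large disk image is never read into memory at once."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def make_source_vm(src: Path) -> None:
    """Write constructed stand-ins for the guest's files on the source host."""
    src.mkdir(parents=True)
    (src / "web01.vmx").write_text('displayName = "web01"\nmemSize = "2048"\n')
    (src / "web01.nvram").write_bytes(b"\x00" * 64)
    (src / "vmware.log").write_text("power state: off\n")
    (src / "web01.vmdk").write_bytes(bytes(range(256)) * 64)   # 16 KiB stand-in "disk"


def honest_transport(src_file: Path, dst_file: Path) -> None:
    shutil.copy2(src_file, dst_file)


def tampering_transport(src_file: Path, dst_file: Path) -> None:
    """Models a migration-path attacker who patches the disk image in flight."""
    shutil.copy2(src_file, dst_file)
    if dst_file.suffix == ".vmdk":
        with dst_file.open("r+b") as fh:
            fh.seek(512)
            fh.write(b"EVIL")


def cold_migrate(src: Path, dst: Path, registry: Dict[str, str],
                 transport: Callable[[Path, Path], None] = honest_transport) -> Dict[str, object]:
    """Steps (a)-(c) from the text, with a digest check inserted between (a) and (b)."""
    expected = {name: sha256_file(src / name) for name in VM_FILES}   # measured at the source
    dst.mkdir(parents=True, exist_ok=True)
    for name in VM_FILES:                                  # (a) move config, NVRAM, log, disks
        transport(src / name, dst / name)
    mismatched: List[str] = [n for n in VM_FILES if sha256_file(dst / n) != expected[n]]
    if mismatched:
        shutil.rmtree(dst)                                 # discard the suspect copy; source untouched
        return {"registered": False, "source_deleted": False, "mismatched": mismatched}
    registry["web01"] = str(dst)                           # (b) register with the new host
    shutil.rmtree(src)                                     # (c) delete the old copy only now
    return {"registered": True, "source_deleted": True, "mismatched": []}


def demo() -> Dict[str, Dict[str, object]]:
    """One clean migration and one through a tampering channel, in a temp directory."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        out: Dict[str, Dict[str, object]] = {}

        make_source_vm(root / "hostA" / "web01")
        reg: Dict[str, str] = {}
        out["honest"] = cold_migrate(root / "hostA" / "web01", root / "hostB" / "web01", reg)
        out["honest"]["registered_on_hostB"] = reg.get("web01") == str(root / "hostB" / "web01")
        out["honest"]["source_still_exists"] = (root / "hostA" / "web01").exists()

        make_source_vm(root / "hostC" / "web01")
        reg2: Dict[str, str] = {}
        out["tampered"] = cold_migrate(root / "hostC" / "web01", root / "hostD" / "web01",
                                       reg2, transport=tampering_transport)
        out["tampered"]["registered_on_hostD"] = "web01" in reg2
        out["tampered"]["source_still_exists"] = (root / "hostC" / "web01" / "web01.vmdk").exists()
        return out


if __name__ == "__main__":
    for case, result in demo().items():
        print(case, result)
```

The digests must be taken on the source host before the transfer and compared on the destination host after it; computing both on the same side, or trusting a digest that travelled over the same channel as the files, would let the attacker adjust the digest along with the image.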
5.3 Data Security and Storage

* Security challenges for cloud service customers:
1. Ambiguity in responsibility: A cloud service customer (CSC) uses services based on different service categories as well as different deployment models. If the responsibilities are not clearly defined in any of these cases, then it may result in inconsistency or may leave an open gate for attacks.
2. Loss of trust: Because of the abstraction of the security implementation details between a CSC and a cloud service provider (CSP), it is difficult for a CSC to get details of the security mechanisms that the CSP has implemented to keep the cloud data secure.
3. Loss of governance: When the CSC uses cloud services, it has to move its data onto the cloud and has to grant certain privileges to the CSP for handling the data in the cloud. This may result in misconfiguration or an attack, due to the abstraction of the CSP's cloud practices and due to the privileges that need to be given to the CSP.
4. Loss of privacy: The CSC's privacy may be violated by leakage of private information while the CSP is processing the CSC's private data, or by the CSP using the private information for a purpose that the CSP and CSC haven't agreed upon.
5. Cloud service provider lock-in: This issue arises if a CSP doesn't abide by the standard functions or frameworks of cloud computing and hence makes it difficult for a CSC using its services to migrate to any other CSP.
The use of non-standard functions and cloud frameworks makes the CSP non-interoperable with other CSPs and also leaves the CSC open to security attacks.
6. Misappropriation of intellectual property: A CSC may face this challenge due to the possibility that the CSC's data on the cloud might leak to third parties that are using the same CSP for their cloud services. This leakage may violate the CSC's copyrights and may result in the disclosure of the CSC's private data.
7. Loss of software integrity: A CSC encounters this challenge because its software is running in the cloud once it is handed to the CSP. It is possible that this software might be tampered with or affected while it is running at the CSP and is not in the CSC's control, resulting in the CSC's loss of control over its software.

Advantages

* Data centralization: The service provider takes responsibility for storage, and a small organization need not spend more money on its own storage devices.
* Incident response: IaaS providers contribute dedicated legal servers which can be used on demand.
* Forensic image verification time.
* Logging: The storage requirement for benchmark logs is mechanically solved.

Disadvantages

* Loss of control: The enterprise's loss of control in enhancing the network's security is the most significant disadvantage of cloud computing security. The responsibility for securing the network is shared between the Cloud Service Provider (CSP) and the enterprise.
* Reduced visibility and control: When migrating to a cloud-based computing model, organizations will lose a degree of visibility and control, with some responsibility for policies and infrastructure moving to the cloud provider.
* Unsecure APIs and interfaces.
* Data segregation.
5.4 Identity and Access Management (IAM)

AWS Identity and Access Management (IAM) helps a user control access to the compute, storage, database and application services in the AWS cloud. It uses access control concepts that users are already familiar with : users, groups and permissions. From a single IAM configuration the user can manage access for all of the users and applications in the account. IAM provides the building blocks with which the user can build security into their applications, so the user can focus on features and functionality while IAM takes care of the access-control side. IAM can also supply automatically rotated credentials to virtual machine instances through IAM roles, so that long-lived access keys need not be stored on the instance.

* Functions :
  1. To manage IAM users and their access.
  2. To manage IAM roles and their permissions.
  3. To manage federated users and their permissions.

Identity Management and Access Control

* AWS Identity and Access Management (IAM) is a web service that helps you securely control access to AWS resources. When you first create an AWS account, you begin with a single sign-in identity that has complete access to all AWS services and resources in the account. This identity is called the AWS account root user and is accessed by signing in with the email address and password that you used to create the account.
* For each AWS account, you can create multiple users with different credentials. For each user, you can give different rights.
* IAM users are objects that allow an individual user to access your AWS environment with a set of credentials. You can issue user accounts to anyone you want to view or administer objects and resources within your AWS environment, but the best practice for permission assignments is to assign them via groups.
* IAM groups are objects that have permissions assigned to them via policies, allowing the members of the group access to specific resources. Having users assigned to these groups allows for a uniform approach to access management and control.
* IAM roles are again objects created within IAM which have policy permissions associated with them. However, instead of being associated with users as groups are, roles are assigned to instances at the time of launch. This allows the instance to adopt the permissions given by the role without the need to have access keys stored locally on the instance.
* Security groups are used to control access to EC2 instances. Because AWS uses flat Layer 3 networking, any instance within a user account can communicate with any other instance unless security group rules restrict it.
* AWS Identity and Access Management allows you to establish access rules and permissions for specific users and applications :
  1. Create user groups for common rule assignment.
  2. CloudTrail allows you to monitor the access.
  3. Identity federation : allow users to log in with their company credentials.
  4. Set up permissions for users and applications.
  5. Temporary security credentials, obtained by calling AWS STS APIs like AssumeRole or GetFederationToken.
* IAM policy - A document that defines the effect, actions, resources, and optional conditions.
* IAM role - An identity with permission policies, which can be assumed by users, applications or AWS services.
* IAM group - A group of users to which common policies can be attached.
* Best practices regarding security groups are as follows :
  1. Avoid using the default security group.
  2. Use meaningful names.
  3. Open only the ports you need to open.
  4. Partition applications.
  5. Restrict system administrator access.

Security Policies

* Users can manage access in AWS by creating policies and attaching them to IAM identities or AWS resources.
* A policy is an object in AWS that, when associated with an identity or resource, defines their permissions. AWS evaluates these policies when a principal entity (user or role) makes a request.
* IAM policies define permissions for an action regardless of the method that you use to perform the operation (console, CLI or API).

Types of policy :

1. Identity-based policies : Attach managed and inline policies to IAM identities (users, groups to which users belong, or roles). Identity-based policies grant permissions to an identity.

2. Resource-based policies : Attach inline policies to resources. Examples of resource-based policies are Amazon S3 bucket policies and IAM role trust policies. Resource-based policies grant permissions to the principal entity that is specified in the policy. Principals can be in the same account as the resource or in other accounts.

3. Permissions boundaries : Use a managed policy as the permissions boundary for an IAM entity (user or role). That policy defines the maximum permissions that the identity-based policies can grant to the entity, but does not grant permissions.

4. Organizations SCPs : Use an AWS Organizations Service Control Policy (SCP) to define the maximum permissions for account members of an organization or Organizational Unit (OU). SCPs limit the permissions that identity-based policies or resource-based policies grant to entities (users or roles) within the account, but do not grant permissions.

5. Access Control Lists (ACLs) : Use ACLs to control which principals in other accounts can access the resource to which the ACL is attached. ACLs are similar to resource-based policies, although they are the only policy type that does not use the JSON policy document structure. ACLs are cross-account permissions policies that grant permissions to the specified principal entity. ACLs cannot grant permissions to entities within the same account.
6. Session policies : Pass an advanced session policy when you use the AWS CLI or AWS API to assume a role or a federated user. Session policies limit the permissions that the role's or user's identity-based policies grant to the session. Session policies limit permissions for a created session, but do not grant permissions.

IAM Abilities and Limitations

* Path names must begin and end with a forward slash (/).
* Names of users, groups, roles, policies, instance profiles and server certificates must be alphanumeric, including the following common characters : plus (+), equal (=), comma (,), period (.), at (@), underscore (_), and hyphen (-).
* Names of users, groups and roles must be unique within the account.
* User passwords (login profiles) can contain any Basic Latin (ASCII) characters.

Machine Imaging

* Machine imaging is a process used to provide system portability, and to provision and deploy systems in the cloud, by capturing the state of a system in a system image. A system image makes a copy or a clone of the entire computer system inside a single file. The image is made using a program called a system imaging program and can be used later to restore the system.
* For example : The Amazon Machine Image (AMI) is a system image used in cloud computing. Amazon Web Services uses AMIs to store copies of a virtual machine. An AMI is a file system image that contains an operating system, all device drivers, and any applications and state information that the working virtual machine would have.
* The AMI files are encrypted and compressed for security purposes and stored in Amazon S3 (Simple Storage Service) buckets as a set of 10 MB chunks.
* Machine imaging is mostly run on virtualization platforms; because of this, machine images are also called virtual appliances, and running virtual machines are called instances.
* The AMI file system is not a standard bit-for-bit image of a system of the kind that is common to many disk imaging programs.
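Returning to the policy types in the Security Policies section above : they combine according to a fixed rule. Identity-based policies grant; permissions boundaries, SCPs and session policies only narrow what was granted; and an explicit Deny in any evaluated policy is final. The Python below is an added example written for this page, not AWS code and not part of the original text, that models that evaluation on constructed sample documents. The bucket names, actions and policy documents are invented for illustration, and the model deliberately leaves out resource-based policies, ACLs, NotAction/NotResource and Condition keys, all of which AWS also evaluates.

```python
"""Simplified model of how identity-based policies combine with permissions
boundaries, SCPs and session policies. Added example for this page; the policy
documents below are constructed for illustration, not taken from any account."""
from fnmatch import fnmatchcase


def _as_list(value):
    """IAM allows either a string or a list for Action and Resource."""
    return [value] if isinstance(value, str) else list(value or [])


def _action_matches(pattern, action):
    # Action names are matched case-insensitively and support '*' and '?'.
    return fnmatchcase(action.lower(), pattern.lower())


def _resource_matches(pattern, resource):
    # Resource ARNs are matched case-sensitively with the same wildcards.
    return fnmatchcase(resource, pattern)


def _statement_applies(stmt, action, resource):
    return (any(_action_matches(a, action) for a in _as_list(stmt.get("Action")))
            and any(_resource_matches(r, resource) for r in _as_list(stmt.get("Resource"))))


def evaluate_policy(policy, action, resource):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for one policy document.
    An explicit Deny in any statement overrides an Allow in the same document."""
    verdict = "ImplicitDeny"
    for stmt in policy.get("Statement", []):
        if not _statement_applies(stmt, action, resource):
            continue
        if stmt.get("Effect") == "Deny":
            return "Deny"
        verdict = "Allow"
    return verdict


def is_allowed(action, resource, identity_policies,
               permissions_boundary=None, scp=None, session_policy=None):
    """Decide a request the way the policy types are described in the text:
    identity-based policies are the only ones here that grant; boundary, SCP and
    session policy each cap the grant (they must also Allow); an explicit Deny
    anywhere is final."""
    limiters = [p for p in (permissions_boundary, scp, session_policy) if p is not None]
    everything = list(identity_policies) + limiters
    if any(evaluate_policy(p, action, resource) == "Deny" for p in everything):
        return False
    if not any(evaluate_policy(p, action, resource) == "Allow" for p in identity_policies):
        return False
    return all(evaluate_policy(p, action, resource) == "Allow" for p in limiters)


# --- constructed sample documents (not real account policies) -----------------
IDENTITY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:*", "ec2:Describe*"], "Resource": "*"}]}

# Boundary: this developer may only ever touch one bucket and read EC2 metadata.
PERMISSIONS_BOUNDARY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]},
    {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"}]}

# SCP: the organization forbids bucket deletion account-wide, otherwise allows all.
SCP = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"}]}

# Session policy passed on AssumeRole: this session may only read objects.
SESSION_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]}


def demo():
    """Return a mapping of request description -> decision for the samples."""
    obj = "arn:aws:s3:::example-bucket/report.pdf"
    bucket = "arn:aws:s3:::example-bucket"
    return {
        "identity only, s3:GetObject": is_allowed("s3:GetObject", obj, [IDENTITY_POLICY]),
        "identity only, s3:DeleteBucket": is_allowed("s3:DeleteBucket", bucket, [IDENTITY_POLICY]),
        "with SCP, s3:DeleteBucket (explicit Deny wins)":
            is_allowed("s3:DeleteBucket", bucket, [IDENTITY_POLICY], scp=SCP),
        "with boundary, s3:PutObject on other bucket (boundary caps)":
            is_allowed("s3:PutObject", "arn:aws:s3:::other-bucket/x", [IDENTITY_POLICY],
                       permissions_boundary=PERMISSIONS_BOUNDARY),
        "with boundary, s3:PutObject on example-bucket":
            is_allowed("s3:PutObject", obj, [IDENTITY_POLICY],
                       permissions_boundary=PERMISSIONS_BOUNDARY),
        "with boundary + session, s3:PutObject (session caps further)":
            is_allowed("s3:PutObject", obj, [IDENTITY_POLICY],
                       permissions_boundary=PERMISSIONS_BOUNDARY, session_policy=SESSION_POLICY),
        "boundary alone grants nothing (no identity Allow for iam:CreateUser)":
            is_allowed("iam:CreateUser", "*", [IDENTITY_POLICY],
                       permissions_boundary={"Statement": [
                           {"Effect": "Allow", "Action": "iam:*", "Resource": "*"}]}),
    }


if __name__ == "__main__":
    for request, decision in demo().items():
        print(f"{'ALLOW' if decision else 'DENY':5}  {request}")
```

The last case in demo() is the one that catches people out in practice : a permissions boundary or SCP that allows iam:* changes nothing unless an identity-based policy also grants it, exactly as the text says ("defines the maximum permissions ... but does not grant permissions").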
* An AMI omits the kernel image and stores a pointer to a particular kernel that is part of the AWS kernel library. Among the available choices are Red Hat Linux, Ubuntu, Microsoft Windows, Solaris and others.
* Files in an AMI are compressed and encrypted, and an accompanying XML file is written.
* Machine images are sometimes referred to as "virtual appliances", systems that are meant to run on virtualization platforms.

5.4.5 IAM Challenges

* The major challenges faced by IAM in the cloud are as follows :

1. Identity provisioning / de-provisioning : This concerns the secure and timely management of on-boarding (provisioning) and off-boarding (de-provisioning) of users in the cloud. When a user has successfully authenticated to the cloud, a portion of the system resources in terms of CPU cycles, memory, storage and network bandwidth is allocated. Depending on the capacity identified for the system, these resources are made available on the system even if no users have logged on.

2. Maintaining a single ID across multiple platforms and organizations : It is tough for organizations to keep track of the various logins and IDs that employees maintain throughout their tenure. Centralised, federated identity management is the answer to this issue : users of cloud services are authenticated using an identity provider chosen by the company.

3. Security when using a 3rd party or vendor network : Many of the services and applications used in the cloud come from 3rd party or vendor networks. You may have secured your own network, but you cannot guarantee that their security is adequate.

4. Compliance visibility : Who has access to what ? When it comes to cloud services, it is important to know who has access to applications and data, where they are accessing it from and what they are doing with it.
IAM should be able to provide centralised compliance reports across access rights, provisioning/de-provisioning, and end-user and administrator activity. There should be central visibility and control across all your systems for auditing purposes.

* Identity and access management is an important aspect of any business. It is a process that allows organizations to manage user access to data and resources and ensures the security of that data. While the process is not easy, it is important to get it right so that it does not become a roadblock to your business. This can be achieved by having the right tools in place and following best practices.

IAM Architecture and Practice

* Fig. 5.4.1 shows the architecture of IAM.

Fig. 5.4.1 Architecture of IAM
[Figure not reproduced. Its labels are : User (Business), User on/off boarding, Authentication information, Access rules / policies, User (Admin), Enterprise apps, Application access.]

* User management : It consists of activities for the control and management of the identity life cycle.
* Authentication management : It consists of activities for effectively controlling and managing the processes for determining which user is trying to access the services and whether those services are relevant to that user.
* Authorization management : It consists of activities for effectively controlling and managing the processes for determining which services the user is allowed to access, according to the policies made by the administrator of the organization.
* Access management : It is used in response to a request made by a user wanting to access resources within the organization.
* Data management and provisioning : Authorization data and identity data are carried to the IT resource through automated or manual processes.
* Monitoring and auditing : Based on the defined policies, monitoring, auditing and reporting are done on the users' access to resources within the organization.

The operational activities of IAM are as follows :

* Provisioning : In this process, we onboard new users onto the organization's systems and applications and provide them with the necessary access to services and data.
* Credential and attribute management : Credentials are bound to an individual user and are verified during the authentication process. These processes generally include allotment of usernames, static or dynamic passwords, handling of password expiration, encryption management and the user's access policies.
* Entitlement management : These are also known as authorization policies, in which we address the provisioning and de-provisioning of the privileges granted to the user for accessing databases, applications and systems.
* Identity federation management : In this process, we manage relationships beyond the internal network of the organization, that is, among different organizations. A federation is an association of organizations that have come together to exchange information about their users and resources, to enable collaboration and transactions.
* Centralization of authentication and authorization : This needs to be developed so that applications do not each have to build custom authentication and authorization features into themselves; it also promotes a loosely coupled architecture.

Single Sign-On

* A mechanism enabling a cloud service consumer to be authenticated by a security broker, which establishes a security context that is persisted while the cloud service consumer accesses other cloud services or cloud-based IT resources, so that the cloud service consumer does not need to re-authenticate itself with every subsequent request.
Implementation mechanisms

* It is not a trivial job at all to propagate the authentication and authorization information for a cloud service consumer across multiple cloud services, especially when numerous cloud services or cloud-based IT resources are invoked as part of the same overall runtime activity.
* The SSO (or security broker) mechanism enables mutually independent cloud services and IT resources to generate and circulate runtime authentication and authorization credentials (a security token), so that the credentials provided by the cloud service consumer at login time remain valid throughout the duration of the same session.
* The security brokerage mechanism is especially useful when a cloud service consumer needs to access cloud services residing on different clouds.
* SSO does not counter security threats directly; it enhances the usability of cloud-based environments for access and management of distributed IT resources and solutions without violating security policies.

Review Question

1. What is IAM ? Detail the segregation of roles carried out by IAM when services of multiple organizations are maintained within the same geographical location.
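The security broker flow described in the Single Sign-On section above, as an added illustration that is not part of the original text and does not correspond to any particular product : the broker authenticates the consumer once and issues a signed, time-limited security token; mutually independent services accept that token by checking its signature, expiry and scope against a key they share with the broker, so the consumer's password is never re-sent. The consumer name, password, scopes, service names and signing key are all constructed for this example. A production broker would use an asymmetric signature (for example a JWT signed with RS256 or ES256) so that services hold only a public key and cannot mint tokens themselves.

```python
"""Minimal security-broker (SSO) token flow. Added example for this page; the
consumer database, shared key and service names are constructed for illustration."""
import base64
import hashlib
import hmac
import json
import os
import time


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class SecurityBroker:
    """Authenticates consumers once and issues HMAC-signed session tokens."""

    def __init__(self, signing_key: bytes):
        self._key = signing_key
        self._consumers = {}  # consumer id -> (salt, password hash, granted scopes)

    def register(self, consumer: str, password: str, scopes) -> None:
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        self._consumers[consumer] = (salt, digest, frozenset(scopes))

    def login(self, consumer: str, password: str, ttl: int = 900, now=None) -> str:
        """Check the password once; return a token valid for ttl seconds, or raise."""
        salt, digest, scopes = self._consumers[consumer]
        attempt = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        if not hmac.compare_digest(attempt, digest):
            raise PermissionError("bad credentials")
        now = int(time.time()) if now is None else now
        claims = {"sub": consumer, "scopes": sorted(scopes), "iat": now, "exp": now + ttl}
        body = _b64url(json.dumps(claims, separators=(",", ":")).encode())
        return body + "." + _b64url(hmac.new(self._key, body.encode(), hashlib.sha256).digest())


def verify_token(token: str, key: bytes, required_scope: str, now=None) -> dict:
    """Validate signature first, then expiry, then scope. Raises PermissionError on failure."""
    try:
        body, sig = token.split(".")
    except ValueError:
        raise PermissionError("malformed token") from None
    expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64url_decode(sig), expected):
        raise PermissionError("bad signature")
    claims = json.loads(_b64url_decode(body))
    now = int(time.time()) if now is None else now
    if now >= claims["exp"]:
        raise PermissionError("token expired")
    if required_scope not in claims["scopes"]:
        raise PermissionError(f"scope {required_scope} not granted")
    return claims


class CloudService:
    """An independent service that trusts the broker's key instead of re-authenticating."""

    def __init__(self, name: str, required_scope: str, broker_key: bytes):
        self.name, self.scope, self._key = name, required_scope, broker_key

    def handle(self, token: str, now=None) -> str:
        claims = verify_token(token, self._key, self.scope, now)
        return f"{self.name}: request served for {claims['sub']}"


def demo(now: int = 1_700_000_000) -> dict:
    """One login, requests to two services on the same token, then the failure modes."""
    key = b"constructed-broker-key-not-for-production"
    broker = SecurityBroker(key)
    broker.register("alice", "correct horse battery staple", ["storage:read", "compute:list"])
    storage = CloudService("storage", "storage:read", key)
    compute = CloudService("compute", "compute:list", key)
    billing = CloudService("billing", "billing:admin", key)

    token = broker.login("alice", "correct horse battery staple", ttl=900, now=now)
    outcome = {"storage": storage.handle(token, now), "compute": compute.handle(token, now)}

    body, sig = token.split(".")
    tampered = body[:-1] + ("A" if body[-1] != "A" else "B") + "." + sig  # altered claims, old signature
    for label, svc, tok, at in [("tampered", storage, tampered, now),
                                ("expired", storage, token, now + 901),
                                ("wrong-scope", billing, token, now)]:
        try:
            svc.handle(tok, at)
            outcome[label] = "accepted"
        except PermissionError as exc:
            outcome[label] = f"rejected ({exc})"
    return outcome


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:12} {result}")
```

The order of checks in verify_token() is deliberate : the signature is verified before the body is even parsed, so an attacker cannot influence parsing or the expiry comparison with an unsigned payload, and hmac.compare_digest() is used for both the password hash and the signature so that the comparison time does not leak how many bytes matched.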
